Enroll Android devices

Microsoft Intune provides extensive management capabilities for Android devices, allowing organizations to secure corporate data while enabling users to be productive on the devices they prefer.

Android Enterprise

Android Enterprise is the modern, Google-recommended management framework. It makes it easier to define the scope of management, balancing what information is managed by IT and what remains private to the user.

  • Android Enterprise personally owned devices with a work profile (BYOD): Intune helps you deploy apps and settings to personal devices by creating a secure, isolated "work profile." Management capabilities only affect this work profile. Users can install any app they choose on the personal side of the device, and IT can't see or wipe their personal data.
  • Android Enterprise corporate-owned work profile (COPE): Corporate-Owned, Personally Enabled. This is for devices owned by the organization but where employees are allowed to use them for personal tasks. It provides the same secure work profile separation as BYOD, but gives IT broader control over the entire device (e.g., enforcing device-wide Wi-Fi, wiping the entire device, or blocking certain apps on the personal side).
  • Android Enterprise corporate-owned fully managed (COBO): Corporate-Owned, Business Only. For devices used exclusively for work and not personal use. Admins manage the entire device and enforce strict policy controls, preventing users from installing unapproved personal apps.
  • Android Enterprise corporate-owned dedicated devices (COSU): Corporate-Owned, Single Use. For devices locked to a specific task, such as digital signage, ticket printing, or inventory scanners. Admins lock down the device to a limited set of apps (often using a Kiosk mode or Managed Home Screen) and prevent users from accessing the broader OS settings.

Important

Android device administrator (DA) is the legacy Android management method and is deprecated. DA management is no longer available for devices with access to Google Mobile Services (GMS), and Intune ended support for DA on GMS devices in August 2024. If your organization has existing DA-enrolled devices, migrate them to Android Enterprise (work profile for BYOD, or fully managed/COPE for corporate). To prevent new DA enrollments, configure an enrollment restriction that blocks Android device administrator. For new enrollments on non-GMS devices, use Android Open Source Project (AOSP) enrollment.

Prerequisites: Connecting Managed Google Play

To use any Android Enterprise enrollment method, including zero-touch, fully managed, or BYOD, you must link your Intune tenant to a Managed Google Play account. This connection enables Intune to manage applications and push policies to Android devices.

  1. Sign in to the Microsoft Intune admin center.
  2. Go to Devices > Enrollment.
  3. Select the Android tab.
  4. Under Prerequisites, select Managed Google Play.
  5. Select I agree to grant Microsoft permission to send user and device information to Google.
  6. Select Launch Google to connect now to open the Managed Google Play website.
  7. Sign in with a Google account (Gmail or Google Workspace) that will be associated with your organization's Android Enterprise management.
  8. Follow the on-screen steps to complete the registration.

Once you have completed the registration on the Google side, the status in Intune will change to Setup.

Enroll personal devices (BYOD)

You can let users enroll their personal devices for Intune management (BYOD). Once you've completed the prerequisites and assigned users licenses, they can download the Intune Company Portal app from the Google Play Store, and follow enrollment instructions in the app.

To enroll an Android device using the Company Portal, users perform the following steps:

  1. Install the Intune Company Portal app from Google Play.
  2. Open the Company Portal app.
  3. On the Company Portal Welcome screen, tap Sign in, and then sign in with your work or school account.
  4. Follow the instructions given in the Company Portal to create the Work Profile. The end-user experience can vary based on the policies assigned to the user and/or device.

Enroll corporate-owned fully managed devices

For devices owned by the organization and assigned to a specific user, you must use the Fully Managed enrollment method. The device must be brand new or factory reset to initiate this process.

  1. In the Intune admin center, go to Devices > Enrollment > Android > Corporate-owned, fully managed user devices.
  2. Create an enrollment profile to generate your enrollment QR code (or token).
  3. Turn on the new or factory-reset Android device.
  4. On the very first Welcome screen, tap the screen seven times in the exact same spot to launch the hidden Android QR code reader.
  5. Connect the device to a Wi-Fi network when prompted.
  6. Scan the Intune enrollment QR code displayed on your admin screen.
  7. The device will download the management agent. The user will then be prompted to sign in with their corporate credentials, locking the device into fully managed mode.

Google Android Zero-Touch Enrollment (ZTE)

Use this method for non-Samsung Android devices (e.g., Google Pixel, Motorola, Nokia) purchased through an authorized zero-touch reseller.

  1. Purchase from an authorized reseller: You can't use standard retail devices for ZTE. Your authorized enterprise reseller will automatically upload the device IMEIs/Serial Numbers to your company's zero-touch portal upon purchase.
  2. Log in to the Google Zero-Touch Portal: Access the portal using your corporate Google account associated with your enterprise.
  3. Create a Configuration:
    • Navigate to Configurations and click the + icon.
    • Set the EMM DPC to Microsoft Intune.
    • In the DPC Extras field, paste a JSON string containing the enrollment token from your Intune enrollment profile (e.g., {"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "YOUR_TOKEN_HERE"}}).
  4. Assign the Configuration: Go to the Devices tab and assign your new Intune configuration to the newly purchased devices.
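
A malformed DPC Extras string is an easy mistake to make in step 3, so the following added example (not part of the original module or any Microsoft tooling) builds the JSON shown above and checks a pasted string before it goes into the zero-touch portal. The function names and the sample token are assumptions made for illustration; the two key names are the ones from the example in step 3, and the check applies to the zero-touch DPC Extras field only.

```python
import json

# Key names are the ones shown in the DPC Extras example above.
BUNDLE_KEY = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
TOKEN_KEY = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"
PLACEHOLDER = "YOUR_TOKEN_HERE"
SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # curly quotes added by rich-text editors


def build_dpc_extras(token: str) -> str:
    """Return the DPC Extras JSON string for the given enrollment token."""
    return json.dumps({BUNDLE_KEY: {TOKEN_KEY: token}})


def check_dpc_extras(text: str) -> list[str]:
    """Return the problems found in a DPC Extras string (empty list = OK)."""
    if any(q in text for q in SMART_QUOTES):
        return ["contains curly quotes; retype with straight quotes"]
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at position {exc.pos}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    problems = []
    if TOKEN_KEY in doc:
        problems.append("token key is at the top level, outside the extras bundle")
    bundle = doc.get(BUNDLE_KEY)
    if not isinstance(bundle, dict):
        problems.append("extras bundle key is missing or is not an object")
        return problems
    token = bundle.get(TOKEN_KEY)
    if not isinstance(token, str) or not token.strip():
        problems.append("enrollment token is missing or empty")
    elif token == PLACEHOLDER:
        problems.append("placeholder token was not replaced")
    elif token != token.strip():
        problems.append("enrollment token has leading or trailing whitespace")
    return problems


def redact(text: str, token: str) -> str:
    """Mask the token before the string is pasted into a ticket or log."""
    return text.replace(token, "<redacted>") if token else text


# Constructed sample values; "EXAMPLETOKEN123" is not a real Intune token.
GOOD = build_dpc_extras("EXAMPLETOKEN123")
UNEDITED = build_dpc_extras(PLACEHOLDER)
FLAT = json.dumps({TOKEN_KEY: "EXAMPLETOKEN123"})
```

An empty list from check_dpc_extras means the string has the nested structure from step 3 and a non-placeholder token; it does not confirm that the token itself is still valid in Intune.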

Samsung Knox Mobile Enrollment (KME)

Samsung Knox Mobile Enrollment (KME) is a zero-touch provisioning solution that automates the onboarding of corporate-owned Android devices into your mobile device management (MDM) platform, such as Microsoft Intune. By registering device serial numbers in the Knox portal, IT administrators ensure that devices automatically download corporate security policies and configurations the moment they connect to a network. This simplified process eliminates the need for manual device setup, preventing end-users from bypassing management controls and allowing organizations to securely drop-ship devices directly to employees.

  1. Log in to the Knox Admin Portal: Navigate to the Samsung Knox web portal and sign in with your enterprise credentials.
  2. Create an MDM Profile:
    • Go to MDM Profiles and click Create Profile.
    • Select Android Enterprise.
    • Choose Force Device Owner enrollment.
    • Select Microsoft Intune as your MDM environment and paste your Intune Enrollment Token into the Custom JSON payload field.
  3. Add Devices to the Portal:
    • Automated: Purchase from a Samsung Knox authorized reseller who uploads the devices for you.
    • Manual: Use the Knox Deployment App on a master smartphone to scan the NFC or QR code of unboxed Samsung devices to add them to your portal.
  4. Assign the Profile: Select your uploaded devices and apply the Intune MDM profile.

Enroll corporate-owned dedicated devices (Kiosk)

Dedicated devices follow nearly the same hardware provisioning process as Fully Managed devices, but they don't require a user to sign in, making them perfect for kiosks or shared scanners.

  1. In the Intune admin center, go to Devices > Enrollment > Android > Corporate-owned dedicated devices.
  2. Create an enrollment profile to generate a specific dedicated enrollment QR code.
  3. Turn on a new or factory-reset Android device.
  4. Tap the Welcome screen seven times to launch the QR code reader.
  5. Connect to Wi-Fi and scan the dedicated enrollment QR code.
  6. The device will automatically enroll and apply your kiosk configurations, completely bypassing the user sign-in screen.